from the that's-not-how-it's-supposed-to-work dept

Not this again. For years, we were perplexed by the war on mod chips, which could be used to allow people to play pirated games, but also had plenty of legitimate uses as well, especially for developers and hackers. The same was true of the war on smart card readers. Yes, they could be used to get pirated TV, but they were also useful for lots of other, perfectly legitimate projects as well. The latest, however, appears to be a Microsoft update with some new drivers that were completely destroying devices that have fake FTDI chips. People started noticing that right after the Windows update devices using those chips were suddenly dead. Bricked. It's not that they wouldn't connect any more -- it's that the software update actively bricked the devices and you can't get them back.

FTDI chips are quite popular with hackers and there are plenty of them out there -- both real and fake. And, quite frequently, developers/hackers have no idea if their FTDI chips are legit or not, because they just buy devices that include them, and they assume they're legit. But the drivers in that Windows update didn't care and bricked any device using a fake FTDI chip. As Ars Technica notes, this really sucks for a bunch of hackers who never even did anything wrong.

The result of this is that well-meaning hardware developers updated their systems through Windows Update and then found that the serial controllers they used stopped working. Worse, it's not simply that the drivers refuse to work with the chips; the chips also stopped working with Linux systems. This has happened even to developers who thought that they had bought legitimate FTDI parts. It can be difficult to tell, and stories of OEMs and ODMs quietly ignoring design specs and using knock-offs instead of official parts are not uncommon. As such, even hardware that was designed and specified as using proper FTDI chips could be affected.

Every USB device has a pair of IDs. One, the Vendor ID (VID), is allocated by the USB group. Each vendor has its own unique VID and uses that VID on every USB device it makes. The second is the Product ID (PID), allocated by the vendor, with each distinct chip type having its own PID. Windows uses the VID/PID pair to figure out which driver a given piece of hardware needs. The counterfeit chips use FTDI's VID and set the PID to the PID of whichever chip it is they're cloning (FTDI has a range of similar parts, each with their own PIDs).

The new driver reprograms the PID of counterfeit chips to 0000. Because this PID does not match any real FTDI part, it means that FTDI drivers no longer recognize the chips and, hence, no longer provide access to them. This PID is stored in persistent memory, so once a chip has been reprogrammed it will continue to show this 0000 PID even when used with older drivers, or even when used with Linux.
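To check a Linux machine for the symptom described above, the following added example (not from the original article or from Ars Technica) parses `lsusb` output and flags devices that report FTDI's vendor ID with a PID of 0000. The vendor ID 0403 and the short list of FTDI product IDs are assumptions not stated on the page, and the sample output is constructed.

```python
import re

FTDI_VID = 0x0403          # assumption: FTDI's vendor ID (not stated on the page)
# Assumption: a few common FTDI product IDs, used as a stand-in for the
# PID list a real FTDI driver matches against.
KNOWN_FTDI_PIDS = {0x6001, 0x6010, 0x6011, 0x6014, 0x6015}
ZEROED_PID = 0x0000        # from the article: value written to counterfeit chips

LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

def classify(vid, pid):
    """Mirror the VID/PID driver lookup the article describes."""
    if vid != FTDI_VID:
        return "other-vendor"
    if pid == ZEROED_PID:
        return "pid-zeroed"          # no FTDI driver will bind to this
    if pid in KNOWN_FTDI_PIDS:
        return "driver-match"        # says nothing about genuine vs. clone
    return "unknown-ftdi-pid"

def scan(lsusb_text):
    """Return one record per parsable lsusb line; skip anything else."""
    records = []
    for line in lsusb_text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, desc = m.groups()
        vid, pid = int(vid, 16), int(pid, 16)
        records.append({"bus": bus, "device": dev, "id": f"{vid:04x}:{pid:04x}",
                        "status": classify(vid, pid), "description": desc})
    return records

def zeroed_devices(lsusb_text):
    return [r for r in scan(lsusb_text) if r["status"] == "pid-zeroed"]

# Constructed sample output (not captured from a real machine).
SAMPLE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 005: ID 0403:0000 Future Technology Devices International, Ltd
garbage line that is not lsusb output
"""

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r["bus"], r["device"], r["id"], r["status"])
```

On a live system, pass the text of `lsusb` to `zeroed_devices()`; an empty result means no attached device currently shows the zeroed PID.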

It's not entirely clear if this is something FTDI did on purpose or not (though, their comments below suggest they did), but it is worrisome, and it's simply not okay -- whether it was on purpose (in which case it's potentially illegal) or not (in which case it's just bad).

Sherwin Siy, over at Public Knowledge does a nice job explaining why copyright (or other IP laws) are never a legitimate reason to break a device -- even if a contract warns it might happen (as is apparently the case with FTDI).

The fact that disabling countless devices without warning can harm millions of innocent users and manufacturers should be a screaming sign that this is the wrong thing to do. And if they’re doing this deliberately, this is wrong not just in the sense of being unethical, but illegal, too.

This is something that people seem to forget in the IP space, and also in the technology space, which makes it unsurprising that we see it here. It’s the same impulse that leads people to ask if they can shotgun a drone that strays onto their property (No, no more than you can torch a car that parks in your driveway), or whether you can destroy the computers of people who have illegally downloaded your song.

So whether or not FTDI has any trademark rights, copyrights, or other rights in whatever the knockoff chips are copying, the actual physical chips themselves are the property of their users, and FTDI doesn’t have the right to break them. A French vintner can’t stroll down the aisles of an American wine store with a hammer, shattering bottles of “California Champagne.” Roving gangs of Nike enforcers can’t rip fake Jordans off the feet of passing kids. And we don’t have Givenchy shock troops marching down Canal Street taking flamethrowers to fake handbags. If your IP rights are being infringed, the proper course of action is to go to court, not take the law into your own hands.

Unfortunately, in this era of intellectual property maximalism, people seem to forget these things. They assume that if you have a "fake" chip then obviously it's "okay" to break the device, because they falsely seem to believe that copyrights and trademarks and the like give the holder "all the rights over everything," rather than a limited set of rights over certain things. FTDI's response to all of this (including removing the driver from the latest Windows update) suggests (but does not outright claim) that it did this on purpose:

As you are probably aware, the semiconductor industry is increasingly blighted by the issue of counterfeit chips and all semiconductor vendors are taking measures to protect their IP and the investment they make in developing innovative new technology. FTDI will continue to follow an active approach to deterring the counterfeiting of our devices, in order to ensure that our customers receive genuine FTDI product. Though our intentions were honourable, we acknowledge that our recent driver update has caused concern amongst our genuine customer base. I assure you, we value our customers highly and do not in any way wish to cause distress to them.

Honorable intentions or not, counterfeit products or not, actively going in and breaking the property of others is not an acceptable response.

from the respect-my-non-existent-authority! dept

The Texas Dept. of Public Safety has apparently decided that if you'd like to be allowed to drive a vehicle in the state, you're also perfectly fine with a criminal booking-style fingerprinting and having those prints immediately uploaded to a criminal database (that reps swear isn't a criminal database).

The other day at the Texas driver’s license center, while paying for my required in-person renewal, the clerk said it was time to take my fingerprints.

What?

Really. Quietly, earlier this year, the Texas Department of Public Safety began requiring full sets of fingerprints from everyone who obtains a new driver’s license or photo identification card. This applies to those who come in as required for periodic renewals, but it doesn’t apply to mail-in renewals.

Not only that, but since 2010, Texas law enforcement has been running facial recognition searches on DPS license photos with its Image Verification System.

When Lieber exposed this, thanks in part to a former DPS employee (who noted the full set of prints are uploaded to AFIS [Automated Fingerprint Identification Service], creating a record in criminal databases if no previous record exists), a spokesman for the agency said it was perfectly legal plus pretty awesome at fighting crime.

A DPS spokesman tells me that the 9-year-old law makes a clear reference to fingerprints so the new fingerprint collection system is legal.

DPS spokesman Tom Vinger says, “It is important to understand that the purpose of this process is to combat fraud, identity theft and other criminal activity, including potentially thwarting terroristic activity. Making sure that people are who they say they are in the process of issuing government identification is a critical safeguard to protect the public against a wide array of criminal threats.”

The Department is confident in its legal authority to collect 10-prints. The authority exists in current statute, including Transportation Code 521.059, (see below), and in current administrative code. The technology upgrade was funded by the Texas Legislature…

Sec. 521.059. IMAGE VERIFICATION SYSTEM. (a) The department shall establish an image verification system based on the following identifiers collected by the department:

(1) an applicant’s facial image; and (2) an applicant’s thumbprints or fingerprints.

(b) The department shall authenticate the facial image and thumbprints or fingerprints provided by an applicant for a personal identification certificate, driver’s license, or commercial driver’s license or permit using image comparison technology to ensure that the applicant:

(1) is issued only one original license, permit, or certificate; (2) does not fraudulently obtain a duplicate license, permit, or certificate; and (3) does not commit other fraud in connection with the application for a license, permit, or certificate.

(c) The department shall use the image verification system established under this section only to the extent allowed by Chapter 730, Transportation Code, to aid other law enforcement agencies in:

(1) establishing the identity of a victim of a disaster or crime that a local law enforcement agency is unable to establish; or (2) conducting an investigation of criminal conduct.

Vinger may be correct that the DPS is allowed to collect prints as the result of this law, but it's not specifically ordered (or permitted) to collect all 10 prints. Note that the section quoted says "thumbprints or fingerprints." This "or" is important. A look at the actual amendments to existing law shows that the DPS isn't actually required to demand a full set of prints.

(b) The application must include: (1) the thumbprints of the applicant or, if thumbprints cannot be taken, the index fingerprints of the applicant;

So, there's no legal backing to Vinger's claims. Sure, the DPS is technically permitted to collect all 10 prints, but only because nothing specifically forbids this practice. But the law does not demand all 10 prints be provided in order to obtain a license or identification card. The law only asks for thumbprints or index prints.

This is why it was rolled out quietly. The DPS has no legal "authority" to demand a full set of prints before handing out a license. What it can do, however, is ask for them. At this point, supplying a full set of prints is purely voluntary. The DPS can't prevent you from obtaining a license if you refuse, but the whole system is set up to make it appear as though it's mandatory.

Bill co-author Juan M. Escobar, who in 2005 was a state representative from Kingsville, said he recalled the point of his bill was to prevent immigrants living in the U.S. illegally from obtaining a driver’s license.

“I think the intent of the bill was to ensure that the individual was the right person that was applying for a driver’s license,” said Escobar, now county judge in Kleberg County. “The intent was to avoid the privacy issue violation. We’ll just do the thumbprint or the index finger. That was my intent.”

He added, “If they’ve gone past the law, there’s nothing that gives them that authority.”

Escobar mentions illegal immigration. DPS rep Vinger mentions terrorism. Both used tangential hot-button issues to further the amount of information demanded by Texas in exchange for a highly-essential part of everyday life. But the DPS is now exceeding even the questionable aspects of a law predicated mostly on fear. (As Lieber points out in the comments, even the 2005 law was partially motivated by terrorism fears, prompted by Gov. Perry's 2005 Homeland Security Action Plan. [pdf, p. 36])

The state gave the DPS the authority to collect index prints if thumbprints couldn't be obtained. For whatever reason, the DPS -- nearly a decade later -- has decided to roll out a very imaginative reading of the 2005 statute. Worse, it's claiming its interpretation of words that aren't actually there is "legal authority." And when questioned, it's falling back on "terrorism" and but-surely-you-want-criminals-to-be-caught rationalizing.

from the urls-we-dig-up dept

If you believe in gender stereotypes, then you probably think that men are better drivers than women. However, auto insurance companies are inclined to believe that women are actually safer drivers. It's a hotly debated topic, but it's safe to say that there are lots of bad drivers -- both men and women -- on the road. That's why we need robot cars. Here are a few links to some driving-related studies.

from the not-happily-though dept

Following the brouhaha that erupted earlier this week after Creative Labs took down forum posts from a driver modder, the company has given in and restored the posts, recognizing that it needed to do so for PR reasons. However, the statement that it released to The Register (at the link) basically says that everyone misunderstood Creative's position. Creative claims it was only worried about other companies' IP being infringed, which could potentially put everyone in legal hot water. That could be true, but it still handled the whole thing rather awkwardly.

from the how-dare-you-help-people! dept

It appears that Creative Labs is the latest company to shoot itself in the foot over "intellectual property" issues. Apparently, many users have been upset that Creative has failed to support certain systems, and a user in the Creative Labs' forums started releasing drivers to make things actually work or work better. Creative struck back and has removed the various threads in their forums discussing these drivers (thanks to Joe for sending in the link). Basically, this user, Daniel_K was making Creative products work better, and Creative has forced him to stop, claiming that it's violating their intellectual property rights. From a legal standpoint, Creative is probably absolutely right. But from a business perspective, the move seems suicidal. Just read a few of the comments in the long thread following the announcement from Creative. Many people were buying Creative products because of Daniel's mods, and will now look elsewhere. This seems like yet another case of IP laws being used to hold back innovation, rather than encourage it.